DATA PRACTICES

What RANKIGI stores. What RANKIGI never stores.

You are the data controller. RANKIGI is the data processor. Here is exactly what that means.

What We Store

Data Type	What We Store	What We Never Store
Agent events	SHA-256 hashes of inputs/outputs	Raw content
Decision metadata	Action type, tool, timestamps	Model outputs, reasoning text
Agent identity	Passport metadata, scope	Agent code, model weights
Human accountability	Owner name, role, acceptance date	Passwords, personal data
Certificates	Number, scores, hashes, dates	Nothing additional

Data Retention by Tier

Tier	Retention	After Subscription End
Free	30 days	Deleted
Starter	90 days	Deleted
Pro	1 year	Deleted within 90 days
Production	2 years	Deleted within 90 days
Enterprise	Custom (2yr+ default)	Configurable

Data Residency

RANKIGI processes and stores data in the United States (AWS us-east-1 via Supabase). Enterprise tier customers can request EU (Frankfurt) or other regions. For EU customers, RANKIGI relies on Standard Contractual Clauses (SCCs). Our DPA is available at rankigi.com/dpa.

Breach Notification Protocol

Within 1 hour: incident response activated. Within 4 hours: affected customers notified. Within 24 hours: public incident report. Within 72 hours: full post-mortem (GDPR requirement).

Because RANKIGI stores only hashes, a breach does not expose your sensitive data. A notification means hash records were accessed — not the actions themselves.

Your Rights

As data controller you have rights to: access, deletion, portability (JSON export), correction, and restriction. Email privacy@rankigi.com. We respond within 30 days.

Sub-processors

Supabase	Database and authentication	United States
Railway	Application hosting	United States
Stripe	Payment processing	United States
Resend	Transactional email	United States

We notify customers of new sub-processor additions 30 days in advance.